April 14, 2016

Subcommittee Discusses Cybersecurity at the IRS

(Washington, DC) – Today, the Research and Technology Subcommittee held a hearing entitled, “Can the IRS Protect Taxpayers’ Personal Information?” The purpose of the hearing was to review the Internal Revenue Service’s (IRS) efforts to electronically authenticate the identity of taxpayers filing a tax return or accessing tax account services.

During the 2015 filing season, criminals gained fraudulent access to the personal identifying information (PII) of more than 700,000 taxpayers using the IRS online application “Get Transcript.” In addition, the IP PIN online tool (specifically intended to protect taxpayers who were already victims of, or at high risk for, identity theft) was breached, possibly allowing criminals to file fraudulent tax returns and steal taxpayers’ tax refunds. The IRS subsequently shut down these tools.

Ranking Member of the Subcommittee, Daniel Lipinski (D-IL) said in his opening statement, “Data breaches at the IRS are particularly troubling and we should closely examine what IRS has done wrong when it comes to protecting the personal information of Americans, how it can do better in regard to cybersecurity, and what Congress can do to better support IRS cybersecurity efforts. In meeting their obligation to pay taxes, Americans should have confidence that the IRS is taking all possible steps to protect them from cyber thieves.”

Ranking Member Eddie Bernice Johnson (D-TX), in her statement for the record, expressed that a series of cuts by Congress over the past several years to the IRS’s budget may have contributed to compromised information security: “These spending cuts, which triggered a 14 percent reduction in IRS employees, are a significant factor in weakened taxpayer services, reduced detection and enforcement of fraudulent claims, and the agency’s ability to hire qualified staff needed to fulfill its many requirements under the Federal Information Security and Modernization Act. And if the House had its way in recent years, the agency’s budget would have been cut even further.

“So let us be critical of some of the management decisions made at the Internal Revenue Service with respect to protecting taxpayers’ personal information. And let us be sure they are putting the people, systems, and processes in place to make better decisions going forward. But let us also be willing to provide the agency with the financial resources and other authorities they need to accomplish these goals.”

Congressman Lipinski discussed the role of the National Institute of Standards and Technology (NIST) in federal cybersecurity. “In the context of this hearing it is important to talk about NIST, an agency that this subcommittee has jurisdiction over. NIST plays an important role in developing technical standards and providing expert advice to agencies across the government as they carry out their responsibilities under the Federal Information Security Modernization Act.”

“It is clear that the IRS did not follow the risk analysis or cybersecurity and authentication standards set by NIST when it set up these portals. The most important question is ‘why?’ Was it a lack of understanding of the standards? In this case, we need to have NIST here to talk about the standards and how to make them clearer. Or are there technical barriers to implementing the NIST standards at all? In this case, we need to have information on why these applications were allowed to go live in the first place. Or was this a strategic decision driven by tradeoffs between consumer convenience and security? In that case, we must be clear: the IRS has a unique role among federal agencies and holds information on taxpayers that few others have. Protection of taxpayer data must be a top-level priority and we must work to ensure that a breach of this nature never happens again.”

Commissioner Koskinen discussed the importance of getting streamlined critical pay authority to be able to retain and to hire cybersecurity experts more quickly. He said in his testimony, “An important proposal is the reauthorization of so-called streamlined critical pay authority, originally enacted in 1998, to assist the IRS in bringing in individuals from the private sector with the skills and expertise needed in certain highly specialized areas, including IT, international tax and analytics support. This authority, which ran effectively for many years, expired at the end of FY 2013 and was not renewed.”

“The loss of streamlined critical pay authority has created major challenges to our ability to retain employees with the necessary high-caliber expertise in the areas mentioned above. In fact, out of the many expert leaders and IT executives hired under critical pay authority, there are only 10 IT experts remaining at the IRS, and we anticipate there will be no staff left under critical pay authority by this time next year. The President’s FY 2017 Budget proposes reinstating this authority, and I urge the Congress to approve this proposal.”

Ranking Member Johnson said after the hearing, “At the hearing today, Members stressed the necessity of protecting the U.S. taxpayers’ personal information, and I think that we can all agree that is of the utmost importance. We also heard about the series of cuts to the IRS’s budget and the lapse of their critical pay authority. If we want the IRS to be in the best position possible to protect the taxpayers, we must give them the resources necessary to do so and the authority they need to hire the best and brightest in the field. I hope we in Congress will take what we heard today to heart and work to renew the critical pay authority and ensure that the IRS has the budget they need to do their jobs and protect the taxpayer.”

Witnesses:
The Honorable John Koskinen, Commissioner, Internal Revenue Service
The Honorable J. Russell George, Inspector General, Treasury Inspector General for Tax Administration
Mr. Gregory Wilshusen, Director, Information Security Issues, U.S. Government Accountability Office
